/**
 * Verifies the XML signature carried by {@code signableObj} against {@code validationCredential}.
 *
 * <p>An unsigned object is accepted as-is: the method returns without checking anything, so
 * whether a missing signature is acceptable is the caller's decision, not this method's.
 *
 * @param validationCredential the credential the signature must verify against
 * @param signableObj the SAML object whose signature is checked
 * @throws SamlException if the object reports being signed but exposes no {@code Signature}
 *         element, or if profile validation or cryptographic verification fails
 */
static void validateSignature(Credential validationCredential, SignableSAMLObject signableObj) {
    requireNonNull(validationCredential, "validationCredential");
    requireNonNull(signableObj, "signableObj");

    // Nothing to verify on an unsigned object.
    if (!signableObj.isSigned()) {
        return;
    }

    final Signature sig = signableObj.getSignature();
    if (sig == null) {
        throw new SamlException("failed to validate a signature because no signature exists");
    }

    try {
        // Profile validation runs before the cryptographic check.
        signatureProfileValidator.validate(sig);
        SignatureValidator.validate(sig, validationCredential);
    } catch (SignatureException e) {
        throw new SamlException("failed to validate a signature", e);
    }
}
/**
 * Returns the {@code Signature} element of the wrapped SAML object.
 *
 * @return the signature, or {@code null} if the wrapped object is not a
 *         {@link SignableSAMLObject} or carries no signature
 * @throws WSSecurityException declared for API compatibility; this implementation does not throw it
 */
public Signature getSignature() throws WSSecurityException {
    if (!(samlObject instanceof SignableSAMLObject)) {
        return null;
    }
    return ((SignableSAMLObject) samlObject).getSignature();
}
/**
 * Reports whether the wrapped SAML object carries a signature.
 *
 * <p>The object counts as signed when it is a {@link SignableSAMLObject} that either reports
 * {@code isSigned()} or has a non-null {@code Signature} element. This only reflects the
 * presence of a signature, not its validity; verification must be done separately.
 *
 * @return {@code true} if a signature is present or reported, {@code false} otherwise
 */
public boolean isSigned() {
    if (!(samlObject instanceof SignableSAMLObject)) {
        return false;
    }
    final SignableSAMLObject signable = (SignableSAMLObject) samlObject;
    return signable.isSigned() || signable.getSignature() != null;
}
/**
 * Returns the raw {@code SignatureValue} bytes of the wrapped assertion's signature.
 *
 * @return the signature value bytes, or {@code null} if the wrapped object is not a
 *         {@link SignableSAMLObject} or has no {@code Signature} element
 * @throws WSSecurityException if propagated by {@code getSignatureValue(Signature)}
 */
public byte[] getSignatureValue() throws WSSecurityException {
    if (!(samlObject instanceof SignableSAMLObject)) {
        return null;
    }
    final Signature sig = ((SignableSAMLObject) samlObject).getSignature();
    return sig == null ? null : getSignatureValue(sig);
}
/** {@inheritDoc} */
@Override
public void doInvoke(@Nonnull final MessageContext messageContext) throws MessageHandlerException {
    final Object message = messageContext.getMessage();
    if (!(message instanceof SignableSAMLObject)) {
        log.debug("{} Extracted SAML message was not a SignableSAMLObject, cannot process signature", getLogPrefix());
        return;
    }

    final SignableSAMLObject signable = (SignableSAMLObject) message;
    // An unsigned message is not an error for this handler: it only evaluates signatures that
    // are present. Whether a signature is required is presumably enforced elsewhere — confirm.
    if (!signable.isSigned()) {
        log.debug("{} SAML protocol message was not signed, skipping XML signature processing", getLogPrefix());
        return;
    }

    final Signature sig = signable.getSignature();
    performPrevalidation(sig);
    doEvaluate(sig, signable, messageContext);
}
/**
 * Checks the XML signature of {@code signableObj} using {@code validationCredential}.
 *
 * <p>Objects that are not signed pass through untouched; the decision whether an unsigned
 * object is acceptable is left to the caller.
 *
 * @param validationCredential the credential used to verify the signature
 * @param signableObj the SAML object to check
 * @throws SamlException if the object is marked signed but has no {@code Signature} element,
 *         or if profile validation or cryptographic verification fails
 */
static void validateSignature(Credential validationCredential, SignableSAMLObject signableObj) {
    requireNonNull(validationCredential, "validationCredential");
    requireNonNull(signableObj, "signableObj");

    if (!signableObj.isSigned()) {
        // Skip signature validation if the object is not signed.
        return;
    }

    final Signature xmlSig = signableObj.getSignature();
    if (xmlSig == null) {
        throw new SamlException("failed to validate a signature because no signature exists");
    }

    try {
        signatureProfileValidator.validate(xmlSig);
        SignatureValidator.validate(xmlSig, validationCredential);
    } catch (SignatureException e) {
        // Surface both profile and cryptographic failures as one domain exception, keeping the cause.
        throw new SamlException("failed to validate a signature", e);
    }
}
if (signableObject.getDOM() == null && signableObject.getSignature() != null) { log.debug("Examining signed object for content references with exclusive canonicalization transform"); boolean sawExclusive = false; for (final ContentReference cr : signableObject.getSignature().getContentReferences()) { if (cr instanceof SAMLObjectContentReference) { final List<String> transforms = ((SAMLObjectContentReference)cr).getTransforms();
/**
 * Validates the XML signature on {@code object} against each of {@code keys} in turn.
 *
 * <p>The first key that verifies wins and is recorded on the returned {@link Signature} via
 * {@code setValidated(true)} / {@code setValidatingKey(key)}. If no key verifies, the last
 * OpenSAML {@code SignatureException} is wrapped and rethrown.
 *
 * <p>Returns {@code null} without performing any check when the object is not signed or when
 * {@code keys} is {@code null} or empty. Callers that require a signature must therefore treat
 * a {@code null} result as "not validated", never as success.
 *
 * @param object the SAML object whose signature is checked
 * @param keys candidate verification keys; may be {@code null}
 * @return the validated signature descriptor, or {@code null} if nothing was checked
 * @throws org.springframework.security.saml.saml2.signature.SignatureException if the object
 *         is signed and none of the supplied keys verifies it
 */
public Signature validateSignature(SignableSAMLObject object, List<SimpleKey> keys) {
    if (!object.isSigned() || keys == null || keys.isEmpty()) {
        return null;
    }

    SignatureException failure = null;
    Signature validated = null;
    for (SimpleKey candidate : keys) {
        try {
            Credential credential = getCredential(candidate, getCredentialsResolver(candidate));
            SignatureValidator.validate(object.getSignature(), credential);
            failure = null;
            // NOTE(review): getSignature(object) can return null when the signature cannot be
            // mapped, in which case the chained setters would throw NPE — confirm.
            validated = getSignature(object)
                .setValidated(true)
                .setValidatingKey(candidate);
            break;
        } catch (SignatureException e) {
            // Remember the most recent failure and try the next key.
            failure = e;
        }
    }

    if (failure != null) {
        throw new org.springframework.security.saml.saml2.signature.SignatureException(
            "Signature validation against a " + object.getClass().getName()
                + " object failed using " + keys.size()
                + (keys.size() == 1 ? " key." : " keys."),
            failure
        );
    }
    return validated;
}
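/**
 * Maps the OpenSAML {@code Signature} on {@code target} to this library's {@link Signature}
 * descriptor: signature algorithm, canonicalization algorithm, Base64-encoded signature value,
 * and the digest algorithm of the (last) {@code SAMLObjectContentReference}.
 *
 * <p>Best effort: returns {@code null} when the target has no signature, when the signature is
 * not a {@link SignatureImpl}, or when reading the signature value fails with an
 * {@code XMLSignatureException}. The result only describes the signature; it says nothing
 * about whether the signature verifies.
 *
 * @param target the SAML object whose signature is described
 * @return the signature descriptor, or {@code null} if it cannot be produced
 */
protected Signature getSignature(SignableSAMLObject target) {
    org.opensaml.xmlsec.signature.Signature signature = target.getSignature();
    // instanceof is false for null, so no separate null check is needed.
    if (!(signature instanceof SignatureImpl)) {
        return null;
    }
    SignatureImpl impl = (SignatureImpl) signature;
    Signature result = null;
    try {
        result = new Signature()
            .setSignatureAlgorithm(AlgorithmMethod.fromUrn(impl.getSignatureAlgorithm()))
            .setCanonicalizationAlgorithm(CanonicalizationMethod.fromUrn(impl.getCanonicalizationAlgorithm()))
            .setSignatureValue(org.apache.xml.security.utils.Base64.encode(
                impl.getXMLSignature().getSignatureValue()));
        //TODO extract the digest value
        for (ContentReference ref : ofNullable(signature.getContentReferences()).orElse(emptyList())) {
            if (ref instanceof SAMLObjectContentReference) {
                SAMLObjectContentReference sref = (SAMLObjectContentReference) ref;
                // If several content references are present, the last one's digest algorithm wins.
                result.setDigestAlgorithm(DigestMethod.fromUrn(sref.getDigestAlgorithm()));
            }
        }
    } catch (XMLSignatureException ignored) {
        // Deliberately swallowed: a signature whose value cannot be read is reported as absent
        // (result stays null) instead of failing the caller. Verification is not done here.
    }
    return result;
}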
/**
 * Signs {@code xmlObject} in place by passing each signature it carries to {@code signObject}.
 *
 * <p>For a SAML 1.1 or SAML 2.0 {@code Response}, the signatures of the enclosed assertions are
 * processed first and the response's own signature last (the order matters when the response
 * signature envelops the assertions). Any other {@link SignableSAMLObject} has only its own
 * signature signed; other object types are left untouched.
 *
 * @param xmlObject the object to sign
 * @throws WSSecurityException if propagated by {@code signObject}
 */
private static void signXMLObject(XMLObject xmlObject) throws WSSecurityException {
    if (xmlObject instanceof org.opensaml.saml.saml1.core.Response) {
        final org.opensaml.saml.saml1.core.Response saml1Response =
            (org.opensaml.saml.saml1.core.Response) xmlObject;
        // Enclosed assertions first, then the enveloping response signature.
        if (saml1Response.getAssertions() != null) {
            for (org.opensaml.saml.saml1.core.Assertion assertion : saml1Response.getAssertions()) {
                signObject(assertion.getSignature());
            }
        }
        signObject(saml1Response.getSignature());
        return;
    }

    if (xmlObject instanceof org.opensaml.saml.saml2.core.Response) {
        final org.opensaml.saml.saml2.core.Response saml2Response =
            (org.opensaml.saml.saml2.core.Response) xmlObject;
        // Same order as for SAML 1.1: assertions, then the response itself.
        if (saml2Response.getAssertions() != null) {
            for (org.opensaml.saml.saml2.core.Assertion assertion : saml2Response.getAssertions()) {
                signObject(assertion.getSignature());
            }
        }
        signObject(saml2Response.getSignature());
        return;
    }

    if (xmlObject instanceof SignableSAMLObject) {
        signObject(((SignableSAMLObject) xmlObject).getSignature());
    }
}